Is CVE-2021-37136 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 6%.

What products does CVE-2021-37136 affect?

Tracked products affected include Quarkus, PeopleSoft Enterprise PeopleTools. Check the version you run to see whether it is affected.

How do I fix CVE-2021-37136?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

← All products

CVE-2021-37136

Q: What is CVE-2021-37136?

CVE-2021-37136 is a high-severity software vulnerability (Uncontrolled resource consumption) with a CVSS score of 7.5. The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can

HIGH severity · CVSS 7.5 · Uncontrolled resource consumption

7.5CVSS HIGH

Summary

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)6%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (2)

Quarkus PeopleSoft Enterprise PeopleTools

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vvAdvisory
https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.htmlAdvisory